Locking a Branch in Subversion

If you branch your code in your subversion repository, you may eventually want to 'lock' or 'freeze' one of the branches you've created, so that developers can't continue to check in code in that branch.

Subversion has a nice lock command, but it doesn't do what we want. It's designed only to indicate to other svn users that a particular developer is working on a file, and as such you can only lock files and anyone can 'steal' a lock.

Instead, the best way to 'lock' a branch is to use path-based access control to make part of your repository read-only. The subversion manual has all the gory details, but briefly, you'll want to:

• Setup an AuthZ rules file
• Add rules to that file to lock certain branches or tags

Here's how you do it.

You need to setup a configuration file to hold the rules governing what part of your repo should be locked.

If you're using apache to serve your subversion repos, you'll want to use the AuthzSVNAccessFile directive to point to your file. Be sure you're loading the mod_authz_svn module in your main httpd.conf.

Here's roughly what your virtual host should look like. Note that I've also included .htaccess authentication.

<VirtualHost  10.0.0.10:80>
  ServerName  svn.mydomain.com

  <Location />
    DAV  svn
    SVNParentPath  /var/svn/repos

    AuthType  Basic
    AuthName  "My SVN Repo"
    AuthUserFile  /path/to/.htaccess/file
    Require  valid-user

    AuthzSVNAccessFile  /path/to/.authz/file

  </Location>
  ...
</VirtualHost>

I usually put the .authz file in the same place as my .htaccess file, so I can easily edit both at once.

If you're using svnserve, you need to make the authz-db variable (within svnserve.conf) point to your rules file.

Once you have the .authz file setup, you'll need to put some rules in. First, you'll probably want to allow anyone who's authenticated full access to your repo (*). Then, you'll want to make certain paths read only. Your authz file might look like this:

# Allow full access to all repos
[/]
* = rw

# Lock MyRepo Branch_A
# Note that you only need the MyRepo: prefix if you have more than one repo
[MyRepo:/branches/branch_a]
* = r

# Lock all tags in all repos; only allow 'david' to create new tags.
[/tags]
* = r
david = rw

(*) Important Note: I'm assuming here that you're a private developer who does not want to make her repository available to the world. Your users will authenticate via either svnserve or apache's .htaccess mechanism, and only after that will they have full access to the repo. If that's not your situation, you may want to adjust your setup.

For more on this, check out:

• A great Stack Overflow post on access control in subversion
• Path based access control in the subversion manual.